High Severity

Attachment: HTML with Clipboard Copy

Labels

No labels.

Description

An HTML attachment, sent by an unsolicited sender, that contains a JavaScript call writing content to the user's clipboard. This is typically employed as part of a pastejacking attack, in which the user is encouraged to paste the (attacker-controlled) clipboard content into their terminal and execute it, leading to infection.

@delivr_to
Created Nov 28th, 2024 • Last updated Nov 28th, 2024
Feed Source
delivr.to Feed
Source
type.inbound

and any(attachments,
    // File is a HTML file type or an archive
    (
        regex.imatch(.file_extension, '^[sdx]{0,1}ht[ml]{0,2}$') or
        .file_extension in~ $file_extensions_common_archives or
        .file_type == "html"
    ) and 
    any(file.explode(.),
        any(.flavors.yara, . == "javascript_file") and

        // Script contains a clipboard-write JavaScript call
        any(.scan.strings.strings,
          strings.ilike(.,
              '*document.execCommand("copy")*',
              '*navigator.clipboard.write(*',
              '*navigator.clipboard.writeText(*'
          )
        )
    )
)

and (
  (
    // unsolicited
    not profile.by_sender_email().solicited
    // negate highly trusted sender domains unless they fail DMARC authentication
    and (
        (
          sender.email.domain.root_domain in $high_trust_sender_root_domains
          and (
            any(distinct(headers.hops, .authentication_results.dmarc is not null),
                strings.ilike(.authentication_results.dmarc, "*fail")
            )
          )
        )
        or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    )
  )
  or sender.email.domain.domain == "delivrto.me"
)
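The rule above combines three checks: an HTML-like attachment (by extension regex, archive membership or detected file type), JavaScript content, and one of three clipboard-write API strings matched case-insensitively as substrings. The following Python is an added example, not part of the delivr.to rule or the MQL engine, that reproduces that matching logic so it can be run offline over constructed attachment samples. It assumes a simple `<script` check as a stand-in for the rule's `javascript_file` YARA flavor and ignores the archive and sender-trust branches.

```python
import re

# Extension pattern copied verbatim from the rule. It matches htm, html, shtml,
# dhtml and xhtml, but also a few meaningless strings such as "htll" (the rule
# additionally checks .file_type == "html", so the looseness is not a gap).
HTML_EXT_RE = re.compile(r'^[sdx]{0,1}ht[ml]{0,2}$', re.IGNORECASE)

# The three indicators from the rule's strings.ilike() call. Leading and
# trailing '*' wildcards become a plain case-insensitive substring test.
CLIPBOARD_INDICATORS = (
    'document.execCommand("copy")',
    'navigator.clipboard.write(',
    'navigator.clipboard.writeText(',
)


def is_html_extension(ext: str) -> bool:
    """True when the extension matches the rule's HTML regex."""
    return bool(HTML_EXT_RE.match(ext))


def looks_like_javascript(content: str) -> bool:
    """Assumption: stand-in for the yara 'javascript_file' flavor used by the rule."""
    return bool(re.search(r'<script\b', content, re.IGNORECASE))


def clipboard_indicators(content: str) -> list:
    """Return every clipboard-write indicator present (case-insensitive substring)."""
    lowered = content.lower()
    return [p for p in CLIPBOARD_INDICATORS if p.lower() in lowered]


def flag_attachment(filename: str, content: str, solicited: bool) -> dict:
    """Mirror the rule: HTML-like + JavaScript + clipboard write + unsolicited sender."""
    ext = filename.rsplit('.', 1)[-1] if '.' in filename else ''
    hits = []
    if is_html_extension(ext) and looks_like_javascript(content):
        hits = clipboard_indicators(content)
    return {
        "filename": filename,
        "indicators": hits,
        "flagged": bool(hits) and not solicited,
    }


# Constructed samples (not real attachments). The second one shows the
# pastejacking pattern the rule targets, with a placeholder instead of a command.
SAMPLE_BENIGN = """<html><body><h1>Quarterly report</h1>
<script>document.title = "Report";</script></body></html>"""

SAMPLE_PASTEJACK = """<html><body><button onclick="copy()">Verify you are human</button>
<script>
function copy() {
  Navigator.Clipboard.WriteText("PLACEHOLDER_COMMAND");  // mixed case on purpose
}
</script></body></html>"""


if __name__ == "__main__":
    for name, body in (("report.html", SAMPLE_BENIGN), ("verify.HTM", SAMPLE_PASTEJACK)):
        print(flag_attachment(name, body, solicited=False))
```

Note that `navigator.clipboard.write(` does not match `writeText(` because the opening parenthesis is part of the pattern, so the three indicators are independent; this matters if you extend the list, since a pattern without the trailing `(` would also catch `writeText` and inflate hit counts.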